How to fix npm vulnerabilities manually?

by

lodash-cli in devDependencies doesn’t affect how browser-sync works in your project, devDependencies are ignored when a package is installed as a dependency.

What audit report says is that it’s easy-extender that has lodash dependency:

browser-sync > easy-extender > lodash

It depends on Lodash 3, while the problem was fixed in Lodash 4. The problem could be fixed by forking easy-extender, updating it and installing it instead of the package from NPM public registry. But there is no real problem with this dependency.

audit report importance should be evaluated manually. Even if nested dependency has security risk, this doesn’t mean that a feature that introduces this risk was used. This also doesn’t mean that even if it’s used, it introduces real risk due to how it’s used.

browser-sync is development tool that isn’t used in production, there are not so many scenarios where its vulnerabilities could be exploited. And Prototype Pollution isn’t a vulnerability at all, just a notice that a package doesn’t follow good practices, it can be ignored.

Generally, this is the way to fix reported vulnerabilities:

  • Do a sanity check
  • In case it’s a real problem, check the repository of vulnerable package for existing issues and PRs
  • In case there’s none, submit an issue
  • Fork a repository or use use existing PR as git dependency until it’s fixed in NPM release
  • In case of nested dependencies, do this at several levels of nesting

Most times it’s expected that you won’t advance beyond a sanity check, and the only problem is that a “vulnerability” clutters audit report and conceals real vulnerabilities.

patch-package can help to patch nested dependencies in-place but this won’t affect the report.

It’s possible to force specific dependency version in nested dependency in Yarn 1 and 2 with resolutions field, this will affect audit report. It may be possible to do this natively in NPM in future. Currently the alternative in NPM is third-party npm-force-resolutions utility that gives less control, currently it forces a resolution for all dependencies, not a specific one.

Notice that by forcing a dependency to use nested dependencies it wasn’t designed to work with, it can become broken at any moment. This especially applies to npm-force-resolutions, which is a blunt tool and can affect many nested dependencies at once.

More Related Contents:

  1. What is the –save option for npm install?
  2. How can I update NodeJS and NPM to their latest versions?
  3. Local dependency in package.json
  4. How to set environment variables from within package.json?
  5. NPM modules won’t install globally without sudo
  6. How do I install a module globally using npm?
  7. Is there a way to get version from package.json in nodejs code?
  8. “message failed to fetch from registry” while trying to install any module
  9. NodeJS – Error installing with NPM
  10. How to use private Github repo as npm dependency
  11. npm ERR! Error: EPERM: operation not permitted, rename
  12. Installing Node.js (and npm) on Windows 10
  13. What is the difference between –save and –save-dev?
  14. npm install Error: rollbackFailedOptional
  15. How can I solve error gypgyp ERR!ERR! find VSfind VS msvs_version not set from command line or npm config?
  16. Error installing bcrypt with npm
  17. Purpose of installing Twitter Bootstrap through npm?
  18. npm install from Git in a specific version
  19. npm WARN npm npm does not support Node.js v9.1.0
  20. error: This is probably not a problem with npm. There is likely additional logging output above
  21. How to properly upgrade node using nvm
  22. How to deploy node app that uses grunt to heroku
  23. How to make the webpack dev server run on port 80 and on 0.0.0.0 to make it publicly accessible?
  24. DeprecationWarning: Buffer() is deprecated due to security and usability issues when I move my script to another server
  25. GYP ERR! build error. stack Error: ‘make’ failed with exit code 2
  26. What is the pwa-node type launch configuration on VSCode?
  27. bower command not found
  28. Get version number from package.json in React Redux (create-react-app)
  29. How do I override nested dependencies with `yarn`?
  30. How to store a file with file extension with multer?

Leave a Comment